Don’t Rest on GDPR Laurels – Five Strategies for Keeping the Business Compliant and Thriving
The leadership role played by HR departments in the race towards GDPR compliance was critical, but it’s only the beginning
By Ian Osborne, Vice President UK & Ireland, Shred-it
May was a harrowing month for many businesses as they scrambled to get compliant with the new GDPR legislation, and much of that effort continued after the deadline. The HR departments of UK companies felt the additional strain particularly keenly, thanks to a) the amount of personal information they are responsible for on candidates and employees and b) the fact that employee engagement and training are such an integral part of ensuring and demonstrating compliance.
Furthermore, the requirements to change processes and delete questionable data created added strain for many employees, something that HR teams also needed to manage.
So, on returning from summer holidays refreshed, it might be tempting to turn attention to other issues. Realistically, however, HR executives’ job is not done when it comes to GDPR.
According to research conducted by Shred-it in conjunction with Ipsos, 31 percent of businesses that have suffered a data breach have sacked an employee as a result. Alarmingly though, our research also found a disturbing lack of training that might prevent such an eventuality. Only two-thirds (66 percent) of large British businesses and 26 percent of small business owners have offered their employees specific GDPR related training, for example.
Clearly accountability is necessary, but it seems like a raw deal for employees to be removed from their jobs for negligence when that might have been prevented by appropriate training.
HR leadership is crucial both in mitigating the risk of a data breach and of GDPR fines, and in preventing the needless termination of employees’ contracts over data security mishaps. There are four key things that HR executives should consider in terms of their ongoing responsibilities for GDPR compliance:
- Balance the hammer with the arm around the shoulder – HR teams need to work with their colleagues in corporate communications to ensure that ongoing internal communications strike a balance between imparting the seriousness of adhering to company policies and engaging employees and maintaining motivation. To that end, meeting GDPR requirements needs to be positioned as a collective responsibility shouldered by the whole organisation.
- Use everyday interactions to remind employees of their responsibilities – When it comes to GDPR, HR executives are setting the tone as key leaders of compliance efforts, while at the same time being at the coal-face of compliance in their everyday work. From processing CVs and interview feedback while maintaining a compliant data trail, to handling highly confidential materials like performance reviews and remuneration communications, HR professionals face GDPR compliance issues themselves every day. Not only does that keep data security front of mind, it also presents an opportunity for HR pros to use interactions with other departments relating to recruitment or employee development to remind them of simple process issues – e.g. use the approved file transfer method, don’t leave printed CVs lying around on desks, don’t save performance reviews on your laptop’s desktop, etc.
- Identify the training gaps – When looking at our research, it was alarming to see so many businesses with big gaps in their training programmes. Just over half (55 percent) of large businesses have trained their employees on the use of public Wi-Fi, and only 70 percent have provided training on identifying fraudulent emails (the latter being the highest rate for any critical security training). The situation reported by smaller business owners was even graver.
- Train for retention – By “train to retain”, I don’t mean to hold on to talent (although that is also true given the ease with which companies are letting go of employees who make a mistake leading to a data breach). Instead, I’m referring to training that really sinks in with employees. It’s clear that many of the areas where humans particularly create a security vulnerability and GDPR risk, such as public Wi-Fi and clicking on phishing emails, are simultaneously common sense but also easy to slip up on amidst the frenzy of a busy day. Getting these things right needs to become almost reflexive. It needs to be programmed into the muscle memory of our everyday working lives. To that end, training must be interactive, placing people within common scenarios, and it must also be regularly repeated to embed the right responses in testing circumstances.
HR leaders must display a continued appetite for leading on GDPR and demonstrate to the business that this is an ongoing concern. If they do, employees are less likely to compromise the data security of the company, risking huge fines for the business and potentially their own employment status. Active communication and training plans can help HR to steer the ship in the right direction.